While US mass surveillance is heavily debated across Europe, the new Polish government swiftly moved to adopt a new set of laws which allow Polish law enforcement authorities extensive access to electronic communications. The new law, generally known as the “Surveillance Act”, came into effect on February 7, 2016.
Who are caught by new rules?
The new law applies mostly to domestic service providers, however due to the lack of clarity of the provisions, it is still unclear whether foreign service providers will be caught as well. Much will depend on the interpretation of the law enforcement authorities.
- The “uniformed” enforcement authorities (e.g. Polish Police, Intelligence Agency, tax intelligence services etc.) will now have increased rights of access to digital data.
- Their access will only be monitored in limited circumstances by regional courts.
- Telecom companies, postal operators and e-service providers will be required to provide the data free of charge by establishing and maintaining an “access route”.
- New rules for handling data containing or likely to contain client-attorney privileged content – investigators will now be able to access all data, before the court approves the use of such data in the investigation. This change will make the control exercised by court an illusion.
- Surveillance by enforcement authorities can last up to 18 months; during this time the suspect is not aware of the surveillance, neither is he/she informed when the surveillance ends.
- The issue of encryption is not addressed, so Polish law still allows encryption.
What is the concern?
- Vast scope of data which may be “covertly” accessed by the Polish authorities. This new law considerably impairs an individual’s ability to protect their private or confidential information, including legally privileged secrets, intellectual property. The amendments provide that the Polish authorities will now have a right to obtain and record, e.g.:
- Correspondence, including emails (prior court approval is however required for emails) : this category may include correspondence sent by means of computer applications (e.g. mobile) and certain internet portal functionalities (e.g. chat).
- Data stored on IT systems – it is possible that the Polish authorities may be authorised to use malware installed on the users’ devices to systematically access and download data stored in these systems
- Data regarding the use of e-services – this includes the user’s full name, PESEL number, residential address, e-mail address, IP address, as well as information on scope of use of the e-service (i.e. “meta-data”). This raises concerns that use of social media, websites and cloud services will be monitored.
What should you do?
We recommend you take the following action:
- Introduce a “risk assessment system/process” to evaluate the risk associated with the processing of certain business information, implement or scrutinize your current policies (e.g. information security policies, IT procedures etc.) and revisit contracts with IT solution providers.
- Consider increasing the level of security of your confidential information by using adequate IT data protection technologies (including data or email message encryption software).
- When in doubt – consider limiting electronic communications for certain types of data (i.e. communications with your lawyers), storing certain categories of documents separately to avoid access.
The Commissioner for Human Rights (Polish Ombudsman) filed a petition to the Constitutional Court to assess the legality of the new law. Until the verdict of the Constitutional Court is issued, this law is deemed to be lawful and binding in Poland.